Workspace ONE UEM management modes

Overview

Device deployment within an organization can be complex. Some devices may be corporate owned, while others are employee owned. Certain users may not be full-time, for example contractors or temporary workers, and may report to multiple organizations. Required security levels may differ across industries.

Regardless of employee or device type, technology should remain transparent and avoid hindering productivity or user experience.

The Workspace ONE® platform supports evolving device management requirements while delivering a consistent onboarding experience across device makes, models, and employee personas.

Purpose of this guide

Workspace ONE® Unified Endpoint Management™ (UEM) provides several modes to manage devices with varying levels of control for the administrator and privacy for the user. This document will introduce you to the options and uses for each mode.

Audience

This document is intended for IT administrators and product evaluators who are familiar with Omnissa Workspace ONE UEM. Knowledge of other technologies, such as Omnissa® Access™ and Omnissa® Intelligence™, is also helpful.

Management mode terminology

To support a wide range of use cases, Workspace ONE UEM provides several options for device management.

Figure 1: Terminology found in the Workspace ONE UEM admin console mapped to industry terms

UEM managed

Device-level management (UEM managed) requires users to enroll their devices before accessing work applications or resources. During enrollment, a mobile device management (MDM) profile is downloaded to the device. Workspace ONE UEM leverages APIs within the device operating system to enforce management policies and retrieve device data. This method offers the highest level of administrative control, encompassing policies, restrictions, attestation, compliance, conditional access to internal resources, and device remediation.

UEM managed deployment is generally used for corporate-owned devices, but many organizations may require this level of management and security even for employee-owned devices. Other terminology that may be used includes “MDM-managed”, “fully managed”, and “device-level management”. Fully MDM managed devices rely on a single MDM provider. UEM Managed devices in the Workspace ONE UEM admin console consume a device license.

OS partitioned

OS partitioned management is enabled by Workspace ONE UEM using Android Work Profile or Apple User Enrollment. OS partitioned management isolates work from personal apps and data, giving administrators control of the work side while preserving user privacy. OS partitioned devices show as “UEM Managed” in the Workspace ONE admin console, since UEM manages resources within the work-side partitioned area. This configuration requires a device license.

Hub Registered mode

Hub Registered mode enables application access through Workspace ONE® Intelligent Hub™ without device-level management or an MDM profile. In the UEM console, devices show as “Registered” rather than “Managed”. Administrators can retrieve only limited device information; therefore, Hub Registered mode preserves user privacy and is well suited for BYOD, temporary or contract workers, and other scenarios requiring quick access to corporate resources without full device management. Hub Registered devices still consume a device license because lightweight management is possible.

Note: UEM administrators can import a list of device serial numbers into the Workspace ONE UEM console to preapprove and preconfigure devices for enrollment. These devices are not yet enrolled, so they do not consume a device license and should not be mistaken for Hub Registered devices, which do consume a license.

App-level management

App-level management uses Workspace ONE productivity apps, such as Workspace ONE Boxer™, Workspace ONE Content, and Workspace ONE Tunnel, which run standalone without device-level or Hub Registered management. For example, users who need only email access can use Workspace ONE Boxer without requiring full device management. You may also encounter the terms MAM, which stands for Mobile Application Management, and “standalone mode”. App-level managed devices will consume a UEM device license.

Windows management modes

When managing Windows endpoints with Workspace ONE UEM, there are three different management mode options:

  • UEM Managed – Utilizing both the OMA-DM protocol and Intelligent Hub management
  • Hub Managed – Intelligent Hub management without OMA-DM client enrollment
  • Hub Registered – As in the discussion above, the device is registered in the UEM console, but not managed by UEM

Figure 2: Windows management mode options in the Workspace ONE UEM console

Check out this detailed Tech Zone article to understand Windows management modes and when to use each option.

Management mode comparison

The following section will cover the key differences between Workspace ONE UEM management modes.

Figure 3: Device management mode comparison

Administrators have different levels of control depending on the management mode. In UEM Managed mode, administrators have the widest range of options available to configure and secure devices. In Hub Registered mode, limited management functionality requires increased reliance on end-user interaction. For example, in Hub Registered mode, the admin cannot push applications to the device; instead, the user can access the corporate app catalog and download apps as needed. Essentially, actions are initiated by users, and access to corporate resources is restricted.

Enrolled modes that consume a device license include capabilities for jailbreak detection on iOS and rooting detection on Android. Administrators can enable Workspace ONE Mobile Threat Defense to provide advanced mobile threat protection within Intelligent Hub for iOS and Android devices. Workspace ONE Assist can be used to conduct real-time remote troubleshooting, highlight onscreen elements, record sessions for training purposes, and extend support through other features.

Note that Workspace ONE UEM supports Hub Registered mode across multiple platforms, including Windows, iOS, and Android devices. However, desktop functionality differs from mobile platforms due to operating system differences.

Under App Level management (MAM), Workspace ONE Productivity Apps including Boxer, Web, Content, and Tunnel function independently, without requiring Workspace ONE Intelligent Hub on the device. Policies and restrictions, such as data loss prevention (DLP), can still be configured for the app even though the device is not fully managed. Also note that internally developed applications leveraging the Workspace ONE SDK continue to require the Intelligent Hub app for device registration in the UEM console.

Now let’s cover Workspace ONE Intelligent Hub in a little more detail.

What is Intelligent Hub?

Workspace ONE Intelligent Hub serves as the employee-facing digital workspace application. It not only includes the agent required for device management but also delivers additional services to improve the employee experience, such as a unified app catalog (supporting SaaS, native, web, and virtual apps), access to links and resources, people search, and advanced mobile threat defense.

For more information about Intelligent Hub, see What is Workspace ONE Intelligent Hub?

How do these management modes look from an admin perspective?

In the device List View of the Workspace ONE UEM admin console, devices are categorized as UEM Managed, Hub Registered, or App Level. OS partitioned, as mentioned earlier, is still UEM Managed and will appear with that label in the console.

Figure 4: Device list view in Workspace ONE UEM

Depending on the management mode, administrators can perform different actions on the device and collect various types of data. For example, devices in Hub Registered or App Level management modes do not provide compliance status information.

If we examine the device details page for an iPad and compare UEM Managed to Hub Registered mode, several differences become apparent.

Figure 5: Device details page in Workspace ONE UEM for a UEM Managed iPad

Figure 6: Device details page in Workspace ONE UEM for an iPad in Hub Registered mode

In Figure 4, the action bar in the upper-right corner offers additional options when the device is UEM Managed. In addition, administrators can query a UEM Managed device to obtain compliance status, operating system version, and serial number. These details are not collected from a Hub Registered device, as seen in Figure 5.

When do I use each management mode?

Even though every organization is unique and there are an unlimited number of scenarios, let’s discuss a few examples.

“I just need email access on my phone.”

The most frequent use case, when users attempt to access corporate resources, involves accessing email on a mobile device. The quickest method for providing email access, when full device management is not necessary, is to leverage App Level management. Users require only Workspace ONE Boxer on their device. With it, they can register the device and gain access to corporate email without the need to download management profiles. This approach is occasionally referred to as “stand-alone Boxer.” The Workspace ONE Productivity applications may be deployed and utilized independently, without requiring installation of Workspace ONE Intelligent Hub. However, the user would not have access to the app catalog, people search, self-service resources, or other services available in Intelligent Hub.

“Contractors need access to internal web applications.”

A contractor may require access solely to an internal web application to fulfill their responsibilities. At the same time, it is essential to preserve user privacy on BYO devices and guarantee secure access to internal resources. There are two approaches to accomplish this.

The first option is to use Workspace ONE Web, the Omnissa secure mobile browser for iOS and Android, in App Level management mode. This approach enables IT to manage only the Workspace ONE Web application and its associated data, while retaining full configuration capabilities for the app.

Data loss prevention (DLP) policies, including passcode requirements, copy/paste restrictions, cache control, and bookmark list management, can be configured and enforced solely within the Workspace ONE Web application.

This option reduces complexity by requiring the end user to download only one application. In this configuration, access is limited to bookmarked sites within the Workspace ONE Web app.

The second option offers a long-term approach by leveraging Workspace ONE Intelligent Hub in Hub Registered mode to extend capabilities to BYO devices. Through the unified app catalog, users can initiate web applications and install native applications directly. You can even use Omnissa Access to require web applications to open in Workspace ONE Web rather than the device’s native browser, ensuring enhanced security and support for network tunneling.

“I need access to corporate Wi-Fi in several offices.”

Access to corporate Wi-Fi is a frequent use case, and automation is critical. Password-based authentication issues remain a concern, leading to support issues and a complex employee experience.

By integrating the AirWatch Cloud Connector with an internal PKI, organizations can streamline certificate lifecycle management and automate certificate distribution to devices. This enables certificate-based authentication for Wi-Fi and other use cases, such as single sign-on to applications, while providing immediate access to corporate resources.

Certificate-based Wi-Fi authentication requires the device to be fully managed because it depends on access to the device certificate store, which is unavailable in Hub Registered mode.

“I want to apply Zero Trust principles to determine access to internal applications, SaaS, and VDI.”

Enabling external users outside the corporate network to access restricted internal applications is a critical use case. This need has grown with the rise of remote and hybrid work and the shift toward Anywhere Organizations. Effective user identity management is essential, since administrators must distinguish between personas like full-time employees and contractors.

The Workspace ONE platform provides a comprehensive solution enabling secure application access based on device and user posture, consistent with Zero Trust principles. Using Omnissa Access, users are authenticated and authorized based on Risk Score and device posture, allowing only compliant devices to access internal applications. This solution integrates device posture data from UEM with machine learning models in Omnissa Intelligence to calculate user risk. Only fully UEM managed devices provide the most reliable user risk score and posture assessment.

Figure 7: Example of Workspace ONE secure access to applications

Summary and additional resources

Workspace ONE provides a flexible platform that delivers an engaging digital workspace to any device supporting any type of user, while ensuring a positive digital employee experience (DEX) and maintaining enterprise-grade security.

Changelog

The following updates were made to this guide:

Date          Description of Changes
2026/06/02    Updated links and graphics; updated content
2024/10/23    Updated links and graphics
2024/01/11    Updated content
2022/10/24    Originally published as a blog

Feedback

Your feedback is valuable.

To comment on this paper, contact Omnissa Product Specialists & Technical Enablement at tech_content_feedback@omnissa.com.
